---+!! Rockbox on the Creative Zen Vision:M
%TOC%
<br />
---
---++ About
Watch the [[http://forums.rockbox.org/index.php?topic=3320.30][ZVM Port Thread]] and [[http://www.rockbox.org/tracker/task/8686][FS#8686]]
<br />
---
---++ Port Status
   * The LCD driver works
   * The button driver works, but no polling method has been implemented; currently it is interrupt-based only
   * The ATA driver works
   * The I²C (Inter-Integrated Circuit) driver works
   * The SPI (Serial Port Interface) driver should work, but is untested
   * The UART (Universal Asynchronous Receiver/Transmitter) driver should work, but is untested
   * The USB driver works partly (!EP0SETUP is received!), but there's something wrong with the interrupts
   * System rebooting works (3/4 of the time)
<br />
---
---++ Install Method
<center><b><font style="font-size: 16px">NOTE: THIS DOESN'T MEAN ROCKBOX IS AVAILABLE FOR THE ZVM!</font></b>%BR%Currently, all the bootloader does is load the original firmware.</center>
   * Linux
      * [[DevelopmentGuide][set up a Rockbox build environment]] and check out latest SVN (HINT: use the [[VMwareDevelopmentPlatform][VMWare image]])
      * Compile Rockbox as a bootloader: %BR% =cd [ROCKBOXDIR]= %BR% =mkdir build; cd build= %BR% =../tools/configure; make=
      * Download the latest original firmware updater program from [[http://support.creative.com/downloads/download.aspx?nDownloadId=10113][Creative]]
      * Compile mkzenboot:%BR% =cd ../tools= %BR% =make mkzenboot=
      * Execute mkzenboot (here using !ZENVisionM_30GB_PCFW_L21_1_62_02.exe as example):%BR% =./mkzenboot !ZENVisionM_30GB_PCFW_L21_1_62_02.exe ../build/rockbox.zvmboot nk.bin "Zen Vision:M"= %BR%(HINT: =./mkzenboot= lists all possible player names)
      * Use either utils/MTP/sendfirm or another MTP utility to upload the firmware (nk.bin):%BR% =cd ../utils/MTP= %BR% =make sendfirm= %BR% =./sendfirm ../../tools/nk.bin=
   * Windows
      * Get a ZVM bootloader file (rockbox.zvmboot); currently only available through Linux compiling...
      * Download the latest original firmware updater program from [[http://support.creative.com/downloads/download.aspx?nDownloadId=10113][Creative]]
      * Compile mkzenboot:%BR% =cd ../tools= %BR% =mingw32-make mkzenboot.exe= %BR%Or download it [[%ATTACHURL%/mkzenboot.exe][here]]
      * Execute mkzenboot (here using !ZENVisionM_30GB_PCFW_L21_1_62_02.exe as example):%BR% =mkzenboot !ZENVisionM_30GB_PCFW_L21_1_62_02.exe rockbox.zvmboot nk.bin "Zen Vision:M"=
      * Use either utils/MTP/sendfirm or another MTP utility (!CreativeWizard) to upload the firmware (nk.bin):%BR% =cd ../utils/MTP= %BR% =mingw32-make sendfirm.exe= %BR% =sendfirm ../../tools/nk.bin= %BR%Or download it [[%ATTACHURL%/sendfirm.zip][here]]
<br />
---
---++ Information about the ZVM 30GB
---+++ Pictures/scans
   * [[PicturesZVM][Scans of the Player]]
   * [[http://www.flickr.com/photos/chlazza/946305167/][More Pictures]]
   * [[http://www.anythingbutipod.com/archives/images/vision-m-dissasemble/disassemble-vision-m-21.jpg][And]] [[http://www.anythingbutipod.com/archives/images/vision-m-dissasemble/disassemble-vision-m-22.jpg][some]] [[http://www.anythingbutipod.com/archives/images/vision-m-dissasemble/disassemble-vision-m-23.jpg][more]]
   * [[http://www.anythingbutipod.com/archives/images/vision-m-dissasemble/disassemble-vision-m-14.jpg][Picture of the back]]
   * [[http://www.flickr.com/photos/27622164@N02/sets/72157606644285514/][And more pictures]]
   * Link to disassembly of [[http://www.flickr.com/photos/kikus/131356883/in/photostream/][the dongle]]
---+++ Internal components
| *Component* | *Info* | * <span style="border-bottom: 1px dashed black" title="Zen Vision:M 30GB">30</span> * | * <span style="border-bottom: 1px dashed black" title="Zen Vision:M 60GB">60</span> * | * <span style="border-bottom: 1px dashed black" title="Zen Vision">ZV</span> * | * <span style="border-bottom: 1px dashed black" title="Zen Vision:W">ZVW</span> * |
| [[http://www.rockbox.org/twiki/bin/view/Main/TexasInstrumentsTMS320][TI TMS320DM320]] | Dual Core ARM9/C5409 DSP System On Chip - !ARM926EJ-S product [[http://www.arm.com/products/CPUs/ARM926EJ-S.html][specs]] & [[http://infocenter.arm.com/help/topic/com.arm.doc.ddi0198d/DDI0198_926_TRM.pdf][datasheet]] | X | X | X | X |
| [[http://www.spansion.com/products/S29GL032M.html][Spansion S29GL032M]] | 4MB (=32Mb) flash memory | X | X | X | ? |
| [[http://www.ortodoxism.ro/datasheets2/d/0k6gzlgz5gyqce5f8ck0k3aa3iwy.pdf][Infineon HYB 25L256160AF-7.5]] (x2) | total of 64MB RAM: product is [[http://www.infineon.convergy.de/upload/documents/2006/cPD_016_06.pdf][discontinued]] | X | X | X | ? |
| [[http://www.nxp.com/#/pip/pip=%5Bpip%3DISP1583_6%5D%7Cpp%3D%5Bv%3Dd%2Ct%3Dpip%2Ci%3DISP1583_6%2Cfi%3D47806%2Cps%3D0%5D%7C%5B3%5D][Philips ISP1583BS]] | USB 2.0/ATA (IDE) controller | X | | X | ? |
| [[http://www.nxp.com/#/pip/pip=%5Bpip%3DISP1761_5%5D%7Cpp%3D%5Bv%3Dd%2Ct%3Dpip%2Ci%3DISP1761_5%2Cfi%3D47803%2Cps%3D0%5D%7C%5B3%5D][Philips ISP1761ET]] | USB 2.0(OTG/Client) / ATA (IDE) controller%BR%Linux [[http://sourceforge.net/projects/isp176x-hcd/][Host]] and [[http://sourceforge.net/projects/isp1761device/][Device]] driver | | X | | ? |
| [[http://www.toshibastorage.com/main.aspx?Path=HardDrivesOpticalDrives/1.8-inchHardDiskDrives/MK3006GAL][Toshiba MK3006GAL]] (and [[http://www3.toshiba.co.jp/storage/english/spec/hdd/mk3006.htm][this]])%BR%[[http://www.hitachigst.com/tech/techlib.nsf/techdocs/0931DA63CD49990386257061007D29B5/$file/C4K60_Slim_e3.pdf][Hitachi C4k60 (pdf)]] | The Hitachi appears to be a zif connector while the Toshiba is an IDE | X | X | ? | ? |
| [[http://www.neodns.co.kr/specpdf/tft/(SEC)LTV250QV-F0B.pdf][Samsung LTV250QV-F02]] | LCD has quite a few numbers on it: !V250QVF02S6516J12, USP5280371, GA060525 AO, !DA060124BC.%BR%Similar used in the [[CowonD2Info][Cowon D2]] | X | X | | ? |
| [[http://www.allparts.cn/files/lcd/datasheet/(SPEC)%20LS037V7DD06(LCP-04031A).pdf][Sharp LS037V7DD06]] | LCD has quite a few numbers on it: 52015893, !DUNTB0022PZZ 52, 018818.%BR% | | | X | ? |
| [[http://www.skc.co.kr/skhp/en/prod/bat/03.jsp][SKC LPCS285385]] battery | rated at 1250 mAh at 3.7 V | X | | ? | ? |
| [[http://www.nxp.com/#/pip/cb%3D%5Btype%3Dproduct%2Cpath%3D50812/50821/53559%2Cfinal%3DTEA5761UK_1%5D%7Cpip%3D%5Bpip%3DTEA5761UK_1%5D%5B0%5D][TEA5761UK]] ([[http://www.nxp.com/acrobat/datasheets/TEA5761UK_1.pdf][datasheet]]) | FM Radio%BR%Markings: TEA5 VCPOM θ 0.6θ5W433Y | X | X | ? | ? |
| [[http://www.microchip.com/stellent/idcplg?IdcService=SS_GET_PAGE&nodeId=1335&dDocName=en010287][Microchip/Motorola PIC18LF4320]] | Microcontroller, used for dock, buttons, etc%BR%[[http://sdcc.sourceforge.net/index.php][Compatible compiler]]%BR%Markings: -I/ML (e3)** 06061HO | X | X | X | ? |
| [[http://focus.ti.com/docs/prod/folders/print/tlv320aic23b.html][TI TLV320AIC23BZ]] ([[http://focus.ti.com/lit/ds/symlink/tlv320aic23b.pdf][datasheet]]) | Stereo Audio CODEC, 8- to 96-kHz, With Integrated Headphone Amplifier | X | X | ? | ? |
| RTC | This component hasn't been identified yet | X | X | ? | ? |
| [[http://focus.ti.com/lit/ds/symlink/sn74lvc08a.pdf][lLC08A]] | Quadruple 2-input positive-AND gate | X | X | ? | ? |
| [[http://www.chipdig.com/datasheets/download_datasheet.php?id=906443&part-number=SN74LV4053ADGVR][LW053A]] | Triple 2-channel CMOS analog multiplexers/demultiplexers%BR%(located right of onboard flash [possibly TV out]) | X | X | ? | ? |
| [[http://datasheet.digchip.com/477/477-54711-0-SN74CBTLV16211DL.pdf][TI CN211]] | 24-bit low voltage switch bus | X | X | ? | ? |
| [[http://www.linear.com/pc/productDetail.jsp?navId=H0,C1,C1003,C1037,C1773,P2447][Linear Technology LTC3455]] ([[http://www.linear.com/pc/downloadDocument.do?navId=H0,C1,C1003,C1037,C1773,P2447,D1820][datasheet]]) | Dual DC/DC Converter with USB Power Manager and Li-Ion Battery Charger | X | X | ? | ? |
| Toshiba !TC200G04SPG | Gate Array ASIC (Maybe used as CF controller?) | | | X | ? |

* This was a circle with "e3" in it.
---+++ How internals are connected
DM320:
   * I²C
      * PIC (at 0x07)
      * TLV320 (at 0x1A? unverified)
      * !TEA5761UK (at 0x24? unverified)
      * RTC (at 0x51)
   * EMIF
      * HDD (at 0x50FEE000)
      * Unknown (at 0x50FFC000)
      * ISP1583 (at 0x60FFC000)
   * SDRAM Controller
      * 64MB Infineon RAM (at 0x00900000)
   * FLASH Memory Interface
      * 4MB Spansion flash memory (at 0x00100000)
   * SPI
      * LCD (slave select pin is BITSET2/CLR2 |= (1 << 5) )
   * UART
      * LCD doesn't seem to work if UART isn't enabled
   * GIO
      * GIO0 is used as an interrupt triggered by the PIC
      * GIO2 is used as an interrupt triggered by the HDD
      * GIO7 is used as an interrupt triggered by the ISP1583
      * GIO26, GIO34 are used as the Video Encoder clock
      * GIO29, GIO32, GIO36, GIO35, GIO37, GIO40 are related to the LCD
      * GIO3, GIO5, GIO14 are related to the ATA controller/HDD

TLV320:
   * Control
      * I²C <= DM320
   * Audio
      * unknown <= !TEA5761UK
      * DSP mode <= C5409 DSP

PIC:
   * buttons
   * buttons backlight (unverified)
   * (piezo) clicker (unverified)
   * touchpad
   * headphones detection
   * dock connector
   * USB connector
   * power connector
   * TV out connector (unverified)
   * hold switch LED (unverified)
   * LCD backlight (unverified)
   * probably other stuff too...
<br />
---
---++Original Firmware
---+++Firmware Info
The firmware used by Creative is [[http://www.mentor.com/products/embedded_software/nucleus_rtos/index.cfm][Nucleus RTOS]].%BR%
They use Nucleus PLUS and the ARM925 TI v. 1.14 toolchain to compile it, according to strings found in FBOOT.%BR%
This is based on !MicroWindows (Nano-X), as several assert messages are found pointing to (open source) source code. (even [[http://svn.neurostechnology.com/listing.php?repname=Nano-X&path=%2Ftrunk%2F&rev=4&sc=1][NeurosTechnology]] uses Nano-X)%BR%
Also [[http://www.libpng.org/pub/png/libpng.html][libpng]] is incorporated (and zlib of course).

Other strings of companies working on the firmware:
   * Copyright MGC 2004 - Nucleus PLUS - ARM925 TI v. 1.14
   * Accelerated Technology Internal Use Only - Serial Number: NP0000
   * Copyright(c) Founder Corporation.2005
----++++Modifying the firmware
Modifying the firmware is as easy as deleting a block/block data, inserting the new data, adjusting the Size attribute of the block and the CIFF block and computing the NULL checksum of the CIFF block (so *without* the NULL block).%BR%
You don't have to fill the entire firmware with all the blocks; if, for example, you just want to replace Hdeviceinfo.xml with another one, you only have to make a CIFF, CINF, DATA and NULL block (so you do not have to include all the others).

Another way is using [[http://www.epizenter.net/e107_plugins/forum/forum_viewtopic.php?144865][CreativeWizard]] (Windows only and requires .NET 2.0).
----++++Uploading a firmware
You can either compile the program located in utils/MTP/ in Rockbox SVN or you can get the [[http://www.epizenter.net/e107_plugins/forum/forum_viewtopic.php?69697.570#post_143211][hacked version of the official firmware updater]].
----+++Firmware Boot
   1. The boot loader (named FBOOT in the firmware) decrypts and loads the Rescue Mode software (FRESC), all from flash memory.
   1. The Rescue Mode software decrypts, decompresses and loads the actual player software (CENC/©TL) from a file named jukebox2.jrm on the HDD.%BR%If the validation checks fail or the switch is held at ON/OFF, it'll load a Rescue Mode menu, which allows you to "reload" the firmware amongst other things.
      1. Try opening jukebox2.jrm (load it into RAM, disable MMU and I/D cache and jump to 0x1EE0000); if it fails, show error and go to Rescue Mode
      1. Check the internal database if file type was ©TL%BR%if(true): decrypt and decode and execute data%BR%else: show error and go to Rescue Mode
      1. Check the internal database if file type was CENC%BR%if(true): decode and execute data%BR%else: show error and go to Rescue Mode
      1. If file type is different: execute data

Note: prior to executing data, the first 4 bytes are checked if they match 'EDOC'; if check fails: show error and go to Rescue Mode.

The 'actual firmware loading' goes as follows:
   1. location 0x0 contains a jump to the reset vector
   1. the reset vector initializes the coprocessor and maps several memory addresses (including the USER DATA MAPPINGS; all of this isn't part of the Nucleus core)%BR%The mapping consists of these steps:
      1. there are 2 main variables in RAM (called mappings1 and mappings2 here);%BR%0x900000 is stored in mappings1 and (0x904000 | 0x13) in mappings2
      1. more info to come...
      1. USER_DATA (starts at 0x1C00004) is parsed as this:
         1. first 4 bytes are read into buffer (=length of data)%BR%if (buffer==NULL) return;
         1. next 4 bytes are read into second buffer (=address of data)
         1. if !(buffer2 & 3) { [copy data from (end of buffer2) to *(buffer2) for (buffer) bytes]; }%BR%else { buffer2-= 4; [copy data in pairs of 4 bytes from (end of buffer2) to *(buffer2) for (buffer) bytes]; }
         1. go back to step 1
   1. finally INC_INITIALIZE(first_available_memory); is called with first_available_memory pointing to the start of USER DATA MAPPINGS (=0x01C00000)
      1. INC_Initialize_State is set to INC_START_INITIALIZE and INC_INITIALIZE() initializes all basic Nucleus kernel entities
      1. Application_Initialize(first_available_memory); is called (this isn't part of the Nucleus core)
      1. INC_Initialize_State is set to INC_END_INITIALIZE and TCT_Schedule(); is called (starting the main Nucleus threading loop)
----++++0x1EE0000
This is the FRESCUE structure parsing code, located at 0x228 in FBOOT in ZVM firmware.%BR%
It disables all caches and the MMU and cleans them. Then it parses the loaded data (given by arguments R0->memory pointer and R1->size) and loads it into the corresponding memory addresses.%BR%
Several checksum checks are done (described at [[CreativeZVMPort#jukebox2_jrm_file][jukebox2.jrm]]) and if one fails, code jumps to an infinite loop.%BR%
After all loading is done, code jumps to 0x0.

Below is a C code example for loading a firmware image.
<verbatim>
/* Hand a loaded image to the parser at 0x1EE0000: R0 = pointer, R1 = size.
 * The clobber list keeps GCC from allocating the inputs to r0/r1, so the
 * first mov cannot overwrite an operand that is still needed. */
#define OF_firmware_load(mem_addr, size) asm volatile ( \
    "mov r1, %1\n" \
    "mov r0, %0\n" \
    "ldr pc, =0x1EE0000\n" \
    : \
    : "r"(mem_addr), "r"(size) \
    : "r0", "r1" \
    );

OF_firmware_load(ptr_to_loaded_image, size_of_loaded_image);
</verbatim>
----+++Upload Code To The Player
The code you want to upload should be in ELF format. Scramble is included in Rockbox SVN. If you run it like this:%BR%
<verbatim>
scramble -creative=zvm inputfile outputfile
</verbatim>
It will take an ELF format file and output a Hjukebox2.jrm file wrapped up in a CIFF structure (while mapping the several memory locations in ELF format to EDOC format).
----+++LCD info
The LCD is controlled via the serial interface of the TMS320 (a driver in Rockbox is present) and the built-in OSD facilities (serial is only LCD on/off).
Some uncategorized data: raw dump of spi_send_block: http://pastecode.com/?show=f627241eb%BR%
analyzed version:%BR%
<verbatim>
function spi_send_block(char arg_0, char arg_1)
{
    IO_GIO_BITSET2 &= (1 << 0x5);
    spi_send_byte(0x74);
    spi_send_byte(0);
    spi_send_byte(arg_0 & 0xFF);
    spi_send_byte(0x25);
    IO_GIO_BITCLR2 &= (1 << 0x5);

    IO_GIO_BITSET2 &= (1 << 0x5);
    spi_send_byte(0x76);
    spi_send_byte( (arg_1 >> 8) & 0xFF);
    spi_send_byte(arg_1 & 0xFF);
    spi_send_byte(0x25);
    IO_GIO_BITCLR2 &= (1 << 0x5);
}
</verbatim>
LCD init function: http://mcuelenaere.pastebin.com/f23b3226a
----+++HDD partitioning info
The first sector consists of this structure:
<verbatim>
struct partition_struct
{
    unsigned int end;
    unsigned int start;
    char name[8];
};

struct hdd_struct
{
    char MBLK[4];
    int block_size;
    long long total_disk_size;
    struct partition_struct minifs;
    struct partition_struct cfs;
};
</verbatim>
A file header on the minifs partition consists of this (incomplete) structure stored at 0x144200 (= sector 0xA21):
<verbatim>
struct minifs_file
{
    char name[16];
    unsigned int unknown;
    unsigned int size;
    unsigned int chain1;
    unsigned int chain2; /* The same as above */
};
</verbatim>
There can be a maximum of 128 headers (so 32*128=0x1000 bytes)

*More info here:*
   * *[[https://sourceforge.net/projects/nomadrawexplore][Nomad Raw Explorer]]* at SF.net
   * CreativeMiniFS

Some interesting links:
   * <s>[[http://64.233.183.104/search?q=cache:0IjiSDeK-vkJ:nomadness.net/modules.php%3Fname%3DForums%26file%3Dviewtopic%26p%3D4126503+site:nomadness.net+minifs&hl=nl&ct=clnk&cd=1&gl=be&client=firefox-a][nomadness 1]]</s> ([[http://gim.6te.net/nomadness-1.html][BACKUP]])
   * <s>[[http://64.233.183.104/search?q=cache:K7au5Hh6BQIJ:nomadness.net/modules.php%3Fname%3DForums%26file%3Dviewtopic%26p%3D4128286+site:nomadness.net+minifs&hl=nl&ct=clnk&cd=6&gl=be&client=firefox-a][nomadness 2]]</s> ([[http://gim.6te.net/nomadness-2.html][BACKUP]])
   * <s>[[http://64.233.183.104/search?q=cache:B7XFIJ28ESgJ:nomadness.net/modules.php%3Fname%3DForums%26file%3Dviewtopic%26t%3D19142%26view%3Dprevious+site:nomadness.net+minifs&hl=nl&ct=clnk&cd=2&gl=be&client=firefox-a][nomadness 3]]</s> ([[http://gim.6te.net/nomadness-3.html][BACKUP]])

Notes:
   * The disk available in the Removable Drive option in the OF is stored as a file named VFSYS in the cfs partition. Currently it isn't possible to access it as the cfs file system hasn't been figured out.
   * The minifs file system is supposedly based on BFS (not !BeFS) which was called minifs in earlier days (now it is in the VSTa OS)
   * There is a [[%ATTACHURL%/DiskDump.rar][disk dump]] available (see RAR comments for more info).
---+++Firmware Format
[[%ATTACHURL%/ZVM-Blocks.bt][010 Editor Template]]
----++++Description
The firmware is in little endian on ARM targets. A firmware always starts with the ASCII string =FFIC= followed by the total size of the file minus the last (=NULL=) block and possibly some padding bytes. After this 8-byte header comes a block structure, always started with a 4-byte string header (e.g. =FNIC=, =ATAD=, =LLUN=, =CNEC=, =0TXE= or =LT©=), followed by the Size of the block. Then you have, based on the type of block, either a) a data block with size of Size or b) a 32-byte Unicode filename and the data block of (Size-32 bytes).
----++++Overview table
| *Block Type* | *Block Size* | *Description* | *Extra* |
| [[CreativeZVMPort#CINF_block][FNIC]] | 96 bytes | player name (e.g. Creative Zen Vision:M) | Unicode formatted |
| ATAD | depends on Size attribute | | if name starts with F->Flash, H->HDD |
| [[CreativeZVMPort#NULL_block][LLUN]] | 20 bytes | contains HMAC-SHA1 checksum of CIFF block | |
| [[CreativeZVMPort#TL_block][CNEC/LT©]] | depends on Size attribute | encrypted player data (gets written to jukebox2.jrm on HDD) | has no Description attribute |
| [[CreativeZVMPort#EXT0_block][0TXE]] | depends on Size attribute | gets written to internal device (either mcu0 or ide0) | name attribute is *24 bytes* long |
----++++Normal files to be found in an official firmware
| *Block Type* | *Name* | *Information* | *File Format* |
| FNIC | n.a. | player string | |
| ATAD | [[CreativeZVMPort#Flash_files][FBOOT]] | flash boot loader | [[%ATTACHURL%/fboot_decrypt.cpp][fboot_decrypt.cpp]] |
| ATAD | [[CreativeZVMPort#Flash_files][FRESC]] | flash rescue mode (key is 'Copyright (C) CTL. - zN0MAD iz v~p0wderful!') | |
| LT© | n.a. | hdd firmware file | [[%ATTACHURL%/ZVM-Firm.bt][jukebox2.jrm]] |
| ATAD | Hjukebox.grs | graphics and other UI data | [[%ATTACHURL%/ZVM-Jukebox-grs.bt][jukebox.grs]] |
| ATAD | Hjukebox2.jrs | multilingual strings | [[%ATTACHURL%/ZVM-Jukebox2-jrs.bt][jukebox2.jrs]] |
| ATAD | HCreative_T.TTF | Unicode font | |
| ATAD | HCreative_S.TTF | Unicode font | |
| ATAD | Hsplash.jbm | hdd boot loader graphics | [[%ATTACHURL%/ZVM-JBM2.bt][JBM2]] |
| ATAD | Hdevicon.ico | icon used in MTP mode | |
| ATAD | Hdevlogo.png | picture of 'CreAtive' | |
| ATAD | Hdeviceinfo.xml | MTP description | |
| ATAD | [[CreativeZVMPort#jukebox_opt_file][Hjukebox.opt]] | player settings (only found in EU firmware -> EU volume cap is present in it) | |
| 0TXE | Pmcu0 (mcu0 = internal used name for the PIC) | contains the binary code for the PIC | [[%ATTACHURL%/ZVM-EXT0.bt][EXT0]] |
| LLUN | n.a. | firmware checksum | |
----++++CINF block
The CINF block is the identifier of the firmware, i.e. it says if the firmware belongs to a Creative ZVM 30/60GB, Creative ZEN, etc.%BR%
For example: the 30GB ZVM contains the *Unicode* string 'Creative Zen Vision:M' and the 60GB contains 'Creative Zen Vision:M Go!'.
----++++NULL block
The NULL block in the current Creative ZVMs is an HMAC-SHA-1 checksum of the CIFF block, computed using the key for your device.
----++++©TL block
The ©TL block gets written to the ZVM's HDD as jukebox2.jrm%BR%
It is encrypted using Blowfish in CBC mode with the key used for your device and after that you have to decompress/decode it using the CENC algorithm (described on [[DellDJPort]]).
----++++EXT0 block
This contains the code uploaded to the PIC. The format is:
<verbatim>
char header[4];
char padding[2];
unsigned char length_a;
unsigned char length_b;
total_size = (length_b + (length_a << 8) + 0xA) & 0xFFFF;
</verbatim>
----++++jukebox.opt file
This file contains the firmware's factory-set settings; for example, the EU firmware has VMX=0, which defines the EU volume cap. Based on firmware reverse engineering the player also accepts DBG=1 and FM=0.%BR%
Presumably the first one sets a debug flag (nothing notable happens, I've tested it myself) and the second one could disable the FM radio functionality (not tested).
----++++jukebox2.jrm file
The format of this file is similar to the nk.bin format: it contains a main block (EDOC), 4 bytes long followed by a WORD which indicates the size of the file.%BR%
Then you have another WORD which has a currently unknown value (can be set at 0x0000 without problems).%BR%
After that you have an array of this type of struct:
<verbatim>
typedef struct {
    UINT Address;
    UINT Length;
    UINT Checksum;
    UCHAR Data[Length];
} BLOCK;
</verbatim>
Address is the physical address to which Data is loaded.%BR%
This array loops until the end of the CODE block.
The checksum is calculated as follows:
<verbatim>
FSeek(0xC);
local int i = 0x239C;
local uint j = 0;
local uint temp = 0;
while(i>0){
    if(i<4) break;
    temp = ReadUInt(FTell()); //FTell() tells us the current stream position and ReadUInt() reads 4 bytes
    j += temp + (temp>>16);
    FSkip(4); //FSkip() skips x bytes in the stream (ReadUInt() doesn't move the pointer)
    i -= 4;

    if(i<4) break;
    temp = ReadUInt(FTell());
    j += temp + (temp>>16);
    FSkip(4);
    i -= 4;

    if(i<4) break;
    temp = ReadUInt(FTell());
    j += temp + (temp>>16);
    FSkip(4);
    i -= 4;

    if(i<4) break;
    temp = ReadUInt(FTell());
    j += temp + (temp>>16);
    FSkip(4);
    i -= 4;
}
j = j << 16;
Printf("%x", j);
</verbatim>
At the end of the file you have another block (NULL), whose header is also 4 bytes long, followed by the size in WORD format (which is always 20 bytes) and then (presumed) a SHA-1-HMAC hash of the CODE block. The key hasn't been found yet, but the device seems to ignore this block if it isn't present.
----++++Flash files
The format used is unknown, as no reverse engineering has been done to find this.%BR%
It is presumed that the following files are on the flash chip:
   * BOOT: contains Nucleus kernel + custom software; loads RESC; can be identified by the 'CreAtive' splash screen; contains encrypted data starting at 0xB000: RSA encrypted with 128-byte public key located at 0x410; view [[%ATTACHURL%/fboot_decrypt.cpp][fboot_decrypt.cpp]] code for more info%BR%This is written to the beginning of flash and is executed when the device is reset
   * RESC: structure is the same as jukebox2.jrm; contains Nucleus kernel + custom software; loads jukebox2.jrm; can be identified by the 'ZEN' splash screen
   * TSIG
   * CONF
   * TOC0 (not sure)
   * PFM1 (not sure)

[[%ATTACHURL%/flash.rar][Flash dump]] is available
----+++Other Creative players' firmware information
Since this firmware information applies to (almost?) the whole Creative Zen line, you'll find here some info for other players (like NULL block key, CINF header, ©TL block key, ...)
| *Player* | *CINF* | *NULL key* | *©TL* |
| Creative Zen Vision:M | Creative Zen Vision:M | CTL:N0MAD&#124;PDE0.DPMP. | 1sN0TM3D az u~may th1nk*Creative Zen Vision:M |
| Creative Zen Vision:M 60GB | Creative Zen Vision:M Go! | CTL:N0MAD&#124;PDE0.DPMP. | 1sN0TM3D az u~may th1nk*Creative ZEN Vision:M (DVP-HD0004) |
| Creative ZEN | Creative ZEN | CTL:Z3N07&#124;PDE0.DPMP. | 1sN0TM3D az u~may th1nk*Creative ZEN |
| Creative ZEN X-Fi | Creative ZEN X-Fi | CTL:Z3N07&#124;PDE0.DPMP. | 1sN0TM3D az u~may th1nk*Creative ZEN X-Fi |
| Creative ZEN Mozaic | Creative ZEN Mozaic | CTL:Z3N07&#124;PDE0.DPMP. | 1sN0TM3D az u~may th1nk*Creative ZEN Mozaic |
| Creative Zen Vision | Creative Zen Vision ©TL | CTL:N0MAD&#124;PDE0.DPMP. | 1sN0TM3D az u~may th1nk*Creative Zen Vision |
| Creative Zen Vision W | Creative Zen Vision W | CTL:N0MAD&#124;PDE0.DPMP. | 1sN0TM3D az u~may th1nk*Creative ZEN Vision W |
| Creative Zen Micro | | CTL:N0MAD&#124;PDE0.SIGN. | 1sN0TM3D az u~may th1nk*Creative Zen Micro |
| Creative Zen !MicroPhoto | | CTL:N0MAD&#124;PDE0.SIGN. | 1sN0TM3D az u~may th1nk*Creative Zen !MicroPhoto |
| Creative Zen Sleek | | CTL:N0MAD&#124;PDE0.SIGN. | 1sN0TM3D az u~may th1nk*Creative Zen Sleek |
| Creative Zen Sleek Photo | | CTL:N0MAD&#124;PDE0.SIGN. | 1sN0TM3D az u~may th1nk*Creative Zen Sleek Photo |
| Creative Zen Touch | | CTL:N0MAD&#124;PDE0.SIGN. | 1sN0TM3D az u~may th1nk*Creative Zen Touch |
| Creative Zen Jukebox Xtra | | CTL:N0MAD&#124;PDE0.SIGN. | 1sN0TM3D az u~may th1nk*NOMAD Jukebox Zen Xtra |
| Creative Zen V | Creative ZEN V | CTL:N0MAD&#124;PDE0.DPFP. | 1sN0TM3D az u~may th1nk*Creative ZEN V |
| Creative Zen V Plus | Creative ZEN V Plus | CTL:N0MAD&#124;PDE0.DPFP. | 1sN0TM3D az u~may th1nk*Creative ZEN V Plus |
| Creative Zen V Video | Creative ZEN V (Video) | CTL:N0MAD&#124;PDE0.DPFP. | 1sN0TM3D az u~may th1nk*Creative ZEN V (Video) |
<br />
---
----++ Tools
----+++ !CreativeWizard
!CreativeWizard is a .NET 2.0 application intended for analyzing and modifying Creative Zen firmwares. You can download it at [[http://www.epizenter.net/e107_plugins/forum/forum_viewtopic.php?144865][epiZENter]].%BR%
For creating a firmware, the following steps are required:
   1. 'Make firmware'
   1. 'Select your player'
   1. choose your player from the list and press OK
   1. 'Add block'
   1. select the newly added block
   1. change type to 'DATA'
   1. check 'Use file instead of data'
   1. type 'Hjukebox2.jrm' in 'Filename' textarea
   1. choose the file
   1. press 'Create Firmware'
   1. press 'Yes'
   1. press 'OK'
   1. in main window: press 'Upload Firmware'
   1. choose your firmware and upload it to your player
----+++ !ZenUtils
!ZenUtils was made by zook (Rasmus Ry) and is now available in SVN.
<br />
---
---++ External Links
   * [[http://www.rockbox.org/irc/reader.pl?date=20070302#02:05:59][Transcript of initial IRC meeting]]
   * [[http://www.archopen.org/tiki-download_file.php?fileId=6][TMS320DSC24 Manual (pdf)]] - Same DSP, similar ARM core as what is in the ZVM
   * [[http://pinouts.ru/PDA/zen-vision-dock_pinout.shtml][Dock Pinout]]
   * [[http://www.anythingbutipod.com/archives/2006/04/zen-vision-m-video-cable-other-4pole-35mm-pinouts.php][Video Adapter Pinout]]
   * [[http://open.neurostechnology.com/node/1020][Free C54x compiler from TI]]
   * [[http://darchon.net/gsoc2007.html][TMS320 ARM/DSP bridge]]
   * [[http://mapusoft.com/admin/wp-content/uploads/nucleus_os_changer_datasheet.pdf][reference to some Nucleus OS API's]]
   * [[https://svn.neurostechnology.com/hackers/adam/trunk/doc/][more TI related datasheets]]
   * [[http://open.neurostechnology.com/files/DM320-DevBoard-0.9.0.doc][NeurosTechnology DM320 DevBoard specifications]]
   * [[http://forums.creative.com/creativelabs/board/message?board.id=dap&thread.id=3&view=by_date_ascending&page=1][getting into Rescue Mode for various Creative devices]]
   * [[http://libnjb.cvs.sourceforge.net/*checkout*/libnjb/libnjb/HACKING][information about the filesystems used in the firmware]] (cfs, minifs)
   * [[http://www.gruppo4.com/~tobia/zenrecover.shtml][site containing information regarding the cfs filesystem]]
   * [[http://njbfs.sourceforge.net/][Linux NJB FS kernel driver]]
<br />
---
---++ Wiki Links
   * CreativeZenTouch
   * DellDJPort
   * TexasInstrumentsTMS320
   * OlympusMR500Info - Link to another !TMS320DM320 based target
   * ZVMFirmwareLoader - Conversation where the hard drive was removed and the ZVM was booted up. Looks like the majority of the firmware comes off of the hard drive and the recovery console is booted from the flash memory.
   * CreativeZenV
---
CategoryFrontpage: Creative Zen Vision:M Port Index [New Ports]
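
Added example, not taken from the original page or from Rockbox's own tools: the two integrity checks described under Firmware Format, in Python. =parse_ciff= walks the block list with bounds checks, =verify_null= recomputes the NULL block's HMAC-SHA1 with the Zen Vision:M key from the table above, and =edoc_checksum= is the jukebox2.jrm 010 Editor loop for any buffer length. Assumptions: size fields are 4-byte little-endian, the CIFF Size counts the bytes after the 8-byte header, the HMAC covers header plus blocks, no padding bytes are present, =make_block= and =build_sample= are hypothetical helpers, and the sample image and word values are constructed.

```python
import hashlib
import hmac
import struct

# NULL-block key for the Zen Vision:M, copied from the key table on this page.
NULL_KEY = b"CTL:N0MAD|PDE0.DPMP."
NAMED_TAGS = {b"ATAD"}  # DATA blocks start with a 32-byte UTF-16 filename


def edoc_checksum(data: bytes) -> int:
    """The page's 010 Editor loop for any buffer; trailing <4 bytes are ignored."""
    j = 0
    for off in range(0, len(data) - len(data) % 4, 4):
        (w,) = struct.unpack_from("<I", data, off)
        j = (j + w + (w >> 16)) & 0xFFFFFFFF
    return (j << 16) & 0xFFFFFFFF  # only a 16-bit sum of half-words survives


def parse_ciff(fw: bytes):
    """Return (blocks, signed_region, stored_tag); raise ValueError if malformed."""
    if len(fw) < 8 or fw[:4] != b"FFIC":
        raise ValueError("not a CIFF image")
    # Assumption: the CIFF Size field counts the bytes after the 8-byte header.
    end = 8 + struct.unpack_from("<I", fw, 4)[0]
    if end > len(fw):
        raise ValueError("CIFF size exceeds file length")
    blocks, off = [], 8
    while off < end:
        if off + 8 > end:
            raise ValueError("truncated block header")
        tag = fw[off:off + 4]
        (size,) = struct.unpack_from("<I", fw, off + 4)
        if off + 8 + size > end:
            raise ValueError("block overruns the CIFF region")
        body, name = fw[off + 8:off + 8 + size], None
        if tag in NAMED_TAGS:
            if size < 32:
                raise ValueError("DATA block too small for its filename")
            name = body[:32].decode("utf-16-le", "replace").rstrip("\0")
            body = body[32:]
        # Tags are stored byte-reversed, e.g. b"FNIC" is the CINF block.
        blocks.append((tag[::-1].decode("latin-1"), name, body))
        off += 8 + size
    null = fw[end:]
    if len(null) < 28 or null[:4] != b"LLUN" or null[4:8] != struct.pack("<I", 20):
        raise ValueError("missing or malformed NULL block")
    return blocks, fw[:end], null[8:28]


def verify_null(fw: bytes, key: bytes = NULL_KEY) -> bool:
    """Recompute HMAC-SHA1 over everything before the NULL block (assumed span)."""
    _, signed, stored = parse_ciff(fw)
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha1).digest(), stored)


def make_block(tag: bytes, payload: bytes, name: str = "") -> bytes:
    """Hypothetical helper used only to construct the sample image."""
    if name:
        payload = name.encode("utf-16-le").ljust(32, b"\0") + payload
    return tag + struct.pack("<I", len(payload)) + payload


def build_sample(key: bytes = NULL_KEY) -> bytes:
    """Constructed image: CINF block, one DATA block, NULL block, no padding."""
    player = "Creative Zen Vision:M".encode("utf-16-le").ljust(96, b"\0")
    body = make_block(b"FNIC", player)
    body += make_block(b"ATAD", b"<xml/>  ", "Hdeviceinfo.xml")
    signed = b"FFIC" + struct.pack("<I", len(body)) + body
    tag = hmac.new(key, signed, hashlib.sha1).digest()
    return signed + b"LLUN" + struct.pack("<I", 20) + tag


# Constructed 16-byte buffer, and a copy with the halves of one word swapped.
SAMPLE_WORDS = struct.pack("<4I", 0xE59FF018, 0x00000001, 0xDEADBEEF, 0x12345678)
SWAPPED_WORDS = struct.pack("<4I", 0xE59FF018, 0x00000001, 0xBEEFDEAD, 0x12345678)

if __name__ == "__main__":
    fw = build_sample()
    for tag, name, body in parse_ciff(fw)[0]:
        print(tag, name, len(body))
    print("NULL block verifies:", verify_null(fw))
    changed = bytearray(fw)
    changed[159] ^= 0x01  # flip one bit in the DATA payload
    print("after a one-bit change:", verify_null(bytes(changed)))
    print("checksums: %08x %08x" % (edoc_checksum(SAMPLE_WORDS),
                                    edoc_checksum(SWAPPED_WORDS)))
```

The two word buffers produce the same jukebox2.jrm checksum because that value is only a 16-bit additive sum, so it catches corruption but not rearranged data; the keyed HMAC in the NULL block is what detects the one-bit change.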
| *Attachment* | *Size* | *Date* | *Who* | *Comment* |
| DiskDump.rar | 87.8 K | 20 Apr 2008 - 11:25 | MaurusCuelenaere | A diskdump of a freshly formatted Creative ZVM (see RAR comments) |
| Pmcu0.asm | 205.9 K | 23 Apr 2008 - 12:38 | MaurusCuelenaere | asm dump of the PIC's firmware |
| ZEN_X-Fi_cnv2uni.bt | 1.1 K | 13 Aug 2008 - 12:26 | MaurusCuelenaere | 010 Editor cnv2uni.tbl structure template |
| ZVM-Blocks.bt | 1.4 K | 21 Nov 2007 - 17:28 | MaurusCuelenaere | 010 Editor block structure template |
| ZVM-EXT0.bt | 0.9 K | 21 Nov 2007 - 17:32 | MaurusCuelenaere | 010 Editor EXT0 block structure template |
| ZVM-Firm.bt | 1.1 K | 17 Feb 2008 - 12:06 | MaurusCuelenaere | 010 Editor Jukebox2.jrm structure template |
| ZVM-JBM2.bt | 0.4 K | 21 Nov 2007 - 17:29 | MaurusCuelenaere | 010 Editor Splash.jbm structure template |
| ZVM-Jukebox-grs.bt | 1.3 K | 21 Nov 2007 - 17:30 | MaurusCuelenaere | 010 Editor Jukebox.grs structure template |
| ZVM-Jukebox2-jrs.bt | 1.3 K | 21 Nov 2007 - 17:31 | MaurusCuelenaere | 010 Editor Jukebox2.jrs structure template |
| edoc2elf.c | 6.1 K | 14 Sep 2008 - 10:44 | MaurusCuelenaere | Converts EDOC to ELF files |
| fboot_decrypt.cpp | 3.4 K | 17 Feb 2008 - 11:10 | MaurusCuelenaere | FBOOT decryption code |
| flash.rar | 570.0 K | 18 May 2008 - 20:18 | MaurusCuelenaere | Flash dump of the ZVM |
| idc_utils.zip | 9.8 K | 14 Sep 2008 - 10:42 | MaurusCuelenaere | Zook's IDA Utility scripts |
| mkzenboot.exe | 95.0 K | 29 Aug 2008 - 00:14 | MaurusCuelenaere | Windows build of mkzenboot |
| sendfirm.zip | 42.8 K | 29 Aug 2008 - 00:16 | MaurusCuelenaere | Windows build of sendfirm |
| zenldr.zip | 34.0 K | 27 Aug 2008 - 16:47 | MaurusCuelenaere | IDA FRESC/TL structure parser |
r157 - 02 Jun 2013 - 18:58:01 - AmauryPouly
Copyright © by the contributing authors.